Multiple cross-site request forgery (CSRF) vulnerabilities in the Disqus Comment System plugin before 2.76 for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) disqus_replace, (2) disqus_public_key, or (3) disqus_secret_key parameter to wp-admin/edit-comments.php in manage.php or that (4) reset or (5) delete plugin options via the reset parameter to wp-admin/edit-comments.php.
Weakness
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Disqus_comment_system | Disqus | * | 2.75 (including) |
| Disqus_comment_system | Disqus | 2.40 (including) | 2.40 (including) |
| Disqus_comment_system | Disqus | 2.41 (including) | 2.41 (including) |
| Disqus_comment_system | Disqus | 2.42 (including) | 2.42 (including) |
| Disqus_comment_system | Disqus | 2.43 (including) | 2.43 (including) |
| Disqus_comment_system | Disqus | 2.44 (including) | 2.44 (including) |
| Disqus_comment_system | Disqus | 2.45 (including) | 2.45 (including) |
| Disqus_comment_system | Disqus | 2.46 (including) | 2.46 (including) |
| Disqus_comment_system | Disqus | 2.47 (including) | 2.47 (including) |
| Disqus_comment_system | Disqus | 2.48 (including) | 2.48 (including) |
| Disqus_comment_system | Disqus | 2.49 (including) | 2.49 (including) |
| Disqus_comment_system | Disqus | 2.50 (including) | 2.50 (including) |
| Disqus_comment_system | Disqus | 2.51 (including) | 2.51 (including) |
| Disqus_comment_system | Disqus | 2.52 (including) | 2.52 (including) |
| Disqus_comment_system | Disqus | 2.53 (including) | 2.53 (including) |
| Disqus_comment_system | Disqus | 2.54 (including) | 2.54 (including) |
| Disqus_comment_system | Disqus | 2.55 (including) | 2.55 (including) |
| Disqus_comment_system | Disqus | 2.60 (including) | 2.60 (including) |
| Disqus_comment_system | Disqus | 2.61 (including) | 2.61 (including) |
| Disqus_comment_system | Disqus | 2.62 (including) | 2.62 (including) |
| Disqus_comment_system | Disqus | 2.63 (including) | 2.63 (including) |
| Disqus_comment_system | Disqus | 2.64 (including) | 2.64 (including) |
| Disqus_comment_system | Disqus | 2.65 (including) | 2.65 (including) |
| Disqus_comment_system | Disqus | 2.66 (including) | 2.66 (including) |
| Disqus_comment_system | Disqus | 2.67 (including) | 2.67 (including) |
| Disqus_comment_system | Disqus | 2.68 (including) | 2.68 (including) |
| Disqus_comment_system | Disqus | 2.69 (including) | 2.69 (including) |
| Disqus_comment_system | Disqus | 2.70 (including) | 2.70 (including) |
| Disqus_comment_system | Disqus | 2.71 (including) | 2.71 (including) |
| Disqus_comment_system | Disqus | 2.72 (including) | 2.72 (including) |
| Disqus_comment_system | Disqus | 2.73 (including) | 2.73 (including) |
| Disqus_comment_system | Disqus | 2.74 (including) | 2.74 (including) |
Potential Mitigations
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- For example, use anti-CSRF packages such as the OWASP CSRFGuard. [REF-330]
- Another example is the ESAPI Session Management control, which includes a component for CSRF. [REF-45]
- Use the “double-submitted cookie” method as described by Felten and Zeller:
- When a user visits a site, the site should generate a pseudorandom value and set it as a cookie on the user’s machine. The site should require every form submission to include this value as a form value and also as a cookie value. When a POST request is sent to the site, the request should only be considered valid if the form value and the cookie value are the same.
- Because of the same-origin policy, an attacker cannot read or modify the value stored in the cookie. To successfully submit a form on behalf of the user, the attacker would have to correctly guess the pseudorandom value. If the pseudorandom value is cryptographically strong, this will be prohibitively difficult.
- This technique requires Javascript, so it may not work for browsers that have Javascript disabled. [REF-331]
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/111.html
- https://cwe.mitre.org/data/definitions/462.html
- https://cwe.mitre.org/data/definitions/467.html
- https://cwe.mitre.org/data/definitions/62.html
References
- http://packetstormsecurity.com/files/127847/WordPress-Disqus-2.7.5-CSRF-Cross-Site-Scripting.html
- http://packetstormsecurity.com/files/127852/Disqus-2.7.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html
- http://seclists.org/fulldisclosure/2014/Aug/35
- http://www.exploit-db.com/exploits/34336
- http://www.securityfocus.com/bid/69205
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95288
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95289
- https://gist.github.com/nikcub/cb5dc7a5464276c8424a
- https://wordpress.org/plugins/disqus-comment-system/other_notes
- https://www.nikcub.com/posts/multiple-vulnerabilities-in-disqus-wordpress-plugin
- http://packetstormsecurity.com/files/127847/WordPress-Disqus-2.7.5-CSRF-Cross-Site-Scripting.html
- http://packetstormsecurity.com/files/127852/Disqus-2.7.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html
- http://seclists.org/fulldisclosure/2014/Aug/35
- http://www.exploit-db.com/exploits/34336
- http://www.securityfocus.com/bid/69205
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95288
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95289
- https://gist.github.com/nikcub/cb5dc7a5464276c8424a
- https://wordpress.org/plugins/disqus-comment-system/other_notes
- https://www.nikcub.com/posts/multiple-vulnerabilities-in-disqus-wordpress-plugin